quality assessment review readiness - iia global - theiia documents/quality assessment... · dallas...
TRANSCRIPT
Copyright 2005, The IIA Research Foundation
QUALITY ASSESSMENT REVIEW READINESS AN ANALYTICAL STUDY OF THE LEVEL OF READINESS FOR A QUALITY ASSESSMENT REVIEW OF THE INTERNAL
AUDIT FUNCTION AT ORGANIZATIONS OF VARIOUS SIZES AND OPERATING IN A VARIETY OF INDUSTRIES
Dallas Chapter of the Institute of Internal Auditors
Authors
Thomas Keils, CPA, Committee Chair Paula Whatley, CPA, Committee Co-Chair
Research Project Committee:
Alpa Parikh, ACCA Michael Mask Idris Buhidma Daniel Heyl
April 2005 (Survey Results: 2004 2005)
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 1
TABLE OF CONTENTS
I. Objective and Methodology........................................................................................... 2
II. Definition of Quality Assessment Review .................................................................... 3 i. Requirements and Timing ......................................................................................... 3 ii. The QAR Process...................................................................................................... 4
III. Survey ........................................................................................................................... 6 i. Survey Demographics ............................................................................................... 6 ii. Survey Results .......................................................................................................... 7
IV. Conclusion .................................................................................................................. 16
V. Works Cited................................................................................................................. 18
VI. Acknowledgement ..................................................................................................... 19
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 2
I. OBJECTIVE AND METHODOLOGY
The objective of this project is to provide benchmarking data to our chapter members by obtaining relevant, timely information related to the level of readiness for a Quality Assessment Review (QAR) of the internal audit function at organizations of various sizes and operating in a variety of industries. In keeping with the Progress Through Sharing motto, the intent of this paper is to provide our chapter members with valuable information to help them move toward their QAR with ease.
This paper is based on information gathered through the survey process as well as current literature on the subject of QAR. Our survey questions were focused in several areas:
Background Information size of entity and audit department
Purpose, Authority and Responsibility audit committee involvement, policies and tone-at-the-top
Independence and Objectivity consideration of independence and reporting of errors or omissions
Proficiency and Due Professional Care Code of Ethics and CPE
Quality Assessment Program timing and extent of prior and planned QARs
Management of the Internal Audit Activity identifying risk
Engagement Planning and Performance planning, documentation and SOPs (Standard Operating Procedures)
Communicating Results departmental reporting standards
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 3
II. DEFINITION OF QUALITY ASSESSMENT REVIEW
i. REQUIREMENTS AND TIMING
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. (The IIA Board of Directors Guidance Task Force) In today s environment the need for a quality, independent internal audit function is more critical than ever before. In addition, there is greater pressure from management for the internal audit function to provide value to the entity. The QAR process allows an internal audit function to measure itself against organization policies, stakeholder expectations, and industry best practices.
Quality Assurance Review is a fact of life for internal audit departments. The question is not if it is coming, but Will your internal audit department be ready when it arrives?
The IIA has been performing Quality Assessment Reviews since the 1980s. Originally The IIA was involved because some large members asked us to organize a peer review process that was somewhat limited. We did 10 to 20 of them a year for the Boeings, the IBMs, the Fords. Then on Jan.1, 2002, new quality assurance standards were introduced. (Stanek)
The IIA s Standards for the Professional Practice of Internal Auditing (Standards) require that internal auditing functions should have both internal and external quality assessments. This is a fundamental change in our profession until now, external quality assessment reviews were suggested in IIA guidelines but were not mandatory. Many internal auditing departments chose not to have external quality assessment reviews at all or did not have reviews on a regular basis, but effective January 1, 2002, external quality assessment reviews will be required at least once every five years. (Mandatory QAR Standards: Is Your Organization Ready?) These reviews are considered mandatory for more than 73,000 internal auditors because all Certified Internal Auditors and IIA members agree to abide by the IIA s Code of Ethics. The Code of Ethics requires that internal auditors perform their services in accordance with the Standards. In addition, many internal audit charters require that audit services be performed in accordance with the Standards. The need for quality assurance reviews is also recognized in other standards used by internal auditors, including government auditing standards and standards
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 4
developed for certified public accountants and chartered accountants in many countries. (Mandatory QAR Standards: Is Your Organization Ready?)
ii. THE QAR PROCESS
While the QAR process should include both internal and external assessments, the two serve different purposes. The internal assessments should provide for both ongoing and periodic reviews of the activities of the internal audit function by those familiar with the entity. External assessments should provide a thorough diagnostic review of the internal audit function. A typical assessment, whether internal or external, would follow the methodology outlined below:
Plan
Understand IA Objectives
Review IA Process
Deliver Findings
Look Ahead
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 5
In addition, the QAR team evaluates issues and ideas affecting the internal auditing department, including:
Partnering with management
Adding value by providing efficiency and effectiveness ideas to management
Integrating concepts of the business controls framework into the IA practice
Maximizing staff performance
Communicating effectively to staff and organization personnel
Developing staff, both personally and professionally
Using technology to increase efficiency and effectiveness
Establishing quality assurance programs (Internal Audit Quality Assurance review Methodology)
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 6
Response by Industry
Other8%
Gov't & Non-Profit10%
Financial Services
39%
Manufacturing10%
Energy10%
Retail15%
Telecom & Tech8%
Response by Country
USA92%
Canada8%
Response by Title
President3%
Vice President33%
Assistant Vice President
8%
Audit Director38%
General Auditor10%
Audit Manager8%
III. SURVEY
i. SURVEY DEMOGRAPHICS
In order to facilitate our survey we distributed thirty multiple-choice questions to members of the Dallas Chapter of the Institute of Internal Auditors via The Self-Assessor a web-based tool that supports self-assessments. We received 21 responses to the 231 assessments deployed in this manner, a 9% response rate. To further broaden our data pool we distributed 160 hard copies of the same thirty questions at the IIA s General Audit Management Conference (GAM). We received 39 responses to the 160 surveys handed out at GAM, a 24% response rate. In total we obtained a 15% response rate.
The following charts provide further demographic information on the responses received:
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 7
The survey questions were organized into eight categories. Each of these categories, with the exception of Background Information, was intended to represent an area of the Standards that should be followed by all internal audit departments and would therefore fall under scrutiny during the QAR process. Survey questions were determined based upon their applicability to all or the majority of internal audit functions and the probability that the answer to the question would lend insight into the internal audit functions readiness for a QAR in the near future.
ii. SURVEY RESULTS
In each area additional details are provided for questions where the answers provide insight useful in drawing conclusions. Please refer to the next few pages for detailed results.
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 8
Survey Results: Background Information 22%
0 - $ 500 million 15%
$ 500 million to $1 billion 37%
$1 billion to $5 billion 22%
$5 billion to $10 billion
What was the gross revenue of your company for the year ended December 31, 2004?
5%
Over $10 billion
52%
1 - 10 22%
11 - 20 10%
20 - 50
How many full time personnel are in your internal audit department?
17%
50 plus
10%
Less than one year ago 28%
1-5 years ago 7%
5-10 years ago
When was your internal audit department formed?
56%
10 plus years ago
63%
0% - Fully handled in house 27%
1% - 25% 3%
26% - 50% 3%
51% - 75%
What percentage of your organization's internal audit hours are outsourced?
3%
76% - 100%
63%
0% - 25% 27%
26% - 50% 7%
51% - 75%
What percentage of your organizations internal audit hours are related to information technology auditing?
3%
76% - 100%
Gross Revenue Of Respondents
05
10152025
$ 0 - $500
million
$ 500million to$1 billion
$1 billionto $5billion
$5 billionto $10billion
Over $10billion
Gross Revenue
Nu
mb
er o
f R
esp
on
den
ts
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 9
Survey Results: Purpose, Authority, and Responsibility 97%
Yes
Do you have an audit committee charter or similar document relating to the Boards oversight of the internal audit activity or other monitoring functions?
3%
No
92%
Yes
Is your charter current and relevant in view of any significant changes in the organization and/or the Institute of Internal Auditor Standards?
8%
No
8%
Monthly 85%
Quarterly
How often does the Chief Auditing Executive meet with the audit committee? 7%
Annually
98%
Yes
Does the company have policies and procedures in place to allow your Internal Audit department to access records and information throughout the organization without restriction?
2%
No
82%
The need and usefulness of IA is recognized
12%
IA is supported, but only via specific request
How would you rate the tone-at-the-top, in regards to management's attitude toward the internal audit function, in your organization?
7%
IA is provided assistance only when convenient
Organizations w ith an Audit Committee Charter
With97%
Without3%
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 10
Survey Results: Independence and Objectivity 52%
Yes
Is there a formal process for considering objectivity and independence prior to assigning internal audit staff to an engagement?
48%
No
2%
Only members of the internal audit staff
96%
To all parties issued the initial final report
If errors or omissions are identified in a final communication subsequent to issuance of that document what parties in your organization will receive a copy of the addendum report? 2%
There will be no addendum report
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 11
Survey Results: Proficiency and Due Professional Care 33%
Integral part of IA staff training/evaluation
27%
All IA staff are familiar with the Code
27%
Only a select few are familiar with the Code
How aware are you internal audit staff of The Professional Practices Framework Code of Ethics?
13%
The Code is not an integral part of IA function
43%
Mandatory CPE requirements for all IA staff
35%
Requirements for IA staff with certifications
Do you have CPE requirements for your internal audit staff?
22%
No formal CPE requirements for any IA staff
73%
Always 22%
More often than not 3%
Sometimes
When assigning internal audit staff to engagements is their knowledge, skills and experience taken into consideration? 2%
Never
Skills Taken Into Account When Assigning Engagements
22%
2%3%
73%
Always
More Often ThanNotSometimes
Never
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 12
Survey Results: Quality Assessment Program 2%
More than 10 years ago 8%
More than 5, less than 10 years ago
23%
In the last 5 years
When did your organization's internal audit department last have an external quality assessment review performed?
67%
N/A
21%
The Institute of Internal Auditors
5%
Your external auditor at the time
26%
Big 4 accounting firm, not your external auditor
If your organization's internal audit department has had a quality assessment review who performed it?
47%
Another third party
56%
Yes, by January of 2007 3%
Yes, after January of 2007 7%
I do not know
Does your company's internal audit department plan to have a quality assessment review in the next year?
34%
No
29%
The Institute of Internal Auditors
9%
Your external auditor at the time
15%
Big 4 accounting firm, not your external auditor
6%
Other accounting firm, not your external auditor
If your organization's internal audit department does plan to have a quality assessment review in the next year, who has been or likely will be selected to perform that review?
41%
Another third party
44%
Yes
Does your organization perform ongoing reviews of the performance of the internal audit function through self-assessment or by other persons within the organization, independent of the internal audit function?
56%
No
53%
Full scope assessment
When your organization has its next quality assessment review do you anticipate using:
47%
Self-assessment with independent validation
Plan for QAR in Next Year
56%
3%7%
34%
Yes, after January2007
Yes, after January2007
I do not know
No
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 13
Survey Results: Management of the Internal Audit Activity 10%
Excellent 52%
Good 35%
Fair
How would you rate your process to identify, measure and manage enterprise risk?
3%
Poor
38%
Always 43%
More often than not 17%
Sometimes
During the planning process does the company consider the risk framework, strategic business plan and technology plan? 2%
Never
Monitoring Enterprise Risk
Excellent10%
Good52%
Fair35%
Poor3%
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 14
Survey Results: Engagement Planning and Performance 60%
Always 30%
More often than not
Internal audit considers the probability of significant errors, irregularities, noncompliance and other exposures when developing the engagement objectives?
10%
Sometimes
58%
Always 22%
More often than not 17%
Sometimes
My organization's internal audit department utilized formal audit work programs?
3%
Never
68%
Always 25%
More often than not
Internal audit engagements are properly supervised to ensure objectives are achieved, quality is assured and staff is developed?
7%
Sometimes
15%
Optimal 59%
Sufficient 17%
Insufficient
How would you rate the completeness and usefulness of your Standard Operating Procedures?
8%
Non-existent
77%
Always
The internal audit function follows the organization's policies and procedures related to record retention?
23%
More often than not
05
10152025303540
Number of Responses
Always Sometimes
Frequency of Supervision
Supervision on Engagements
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 15
Survey Results: Communicating Results 70%
Yes and follows the IIA Framework
22%
Yes, but it does not follow the IIA Framework
2%
Not formal, but follows the IIA Framework
Is there are formal process to communicate internal audit results to management and the audit committee?
7%
No formal process or guidelines
40%
Yes
Is there a formal process for communication of noncompliance with the International Standards for the Professional Practice of Internal Auditing or the Code of Ethics to senior management and the board?
60%
No
QAR Based on Gross Revenue
05
10152025
$ 0 - $500
million
$ 500millionto $1billion
$1billionto $5billion
$5billionto $10billion
Over$10
billion
Gross Revenue
Nu
mb
er o
f R
esp
on
den
ts
Respondents
QAR
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 16
IV. CONCLUSION
An overwhelming majority of those responding to this survey appear to have active audit committees with current and relevant charters. There was also general agreement that the management of their organizations provided an appropriate tone-at-the-top. This is encouraging, as these corporate attitudes will help promote an effective internal audit function.
It appears that a large number of organizations do not ensure that all internal audit staff are familiar with the Code of Ethics. However, well over half indicated that internal audit engagements are always properly supervised to ensure quality, always utilized formal audit work programs and considered the probability of significant errors during the planning process.
In June and July of 2003 the results of an IIA quick poll indicated that 61% of respondents had not undergone a QAR in the past five years and did not have any immediate plans for a QAR. Responses to this survey indicate that while 56% do not perform ongoing self-assessment, 23% of the responders to our survey have undergone a QAR in the last five years and 56% plan to have a QAR prior to the January 2007 deadline. This shift in attitude indicates that more focus is being placed on quality than in the recent past. However, in today s environment internal audit shops and professionals see the benefits of having a QA and know that peer review helps legitimize us as a profession. (Stanek)
Although the IIA does not have regulatory authority to impose sanctions on internal auditors that do not comply with the QAR requirements, the number of QARs performed is expected to rise rapidly over the next few years. For those organizations that have never undergone a QAR it might seem to be a daunting process. There are several things that these organizations can do to prepare and ensure that the process is as painless as possible:
Get familiar with both the Standards and the Code of Ethics
Determine if there is room for immediate improvements within your organization
Review information related to QAR from the IIA. This information included the Quality Assurance Review Manual and Practice Advisories
Network with other internal auditors to gain insight into what other departments are doing related to QAR
Consider obtaining training by attending an IIA seminar on QAR
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 17
While preparing for a QAR can be time-consuming and costly the benefits far out weigh the costs. The QAR should provide assurance to stockholders and other third parties, improve efficiency thereby lowering audit cost, and benchmark practices against industry standards. In addition to the benefits derived from the QAR, the process of preparing for the review should provide the department with a clearer understanding of their mission and how to perform it effectively and efficiently.
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 18
V. WORKS CITED
"Internal Audit Quality Assurance review Methodology." KnowledgeLeader provided by Protiviti. 13 Nov. 2000. KnowledgeLeader. 24 Feb. 2005 <http://www.knowledgeleader.com/InternalAudit/website.nsf/print/MethodologiesModelsInternalAudit>.
"Mandatory QAR Standards: Is Your Organization Ready?." The Institute of Internal Auditors. 24 Feb. 2005 <http://www.theiia.org/index.cfm?act=content.print&doc_id=2212>.
Stanek, Steve. "Internal Audit and Quality Assessment - Advice on Meeting the New Standard." KnowledgeLeader provided by Protiviti. 09 Aug. 2004. KnowledgeLeader. 25 Feb. 2005 <http://www. knowledgeleader.com/InternalAudit/website.nsf/print/HotIssuesIAQualityAssessment>.
The IIA Board of Directors' Guidance Task Force. The Professional Practices Framework. Altamonte Springs: The Institute of Internal Auditors, 2004.
Quality Assessment Review Readiness
Dallas Chapter of The Institute of Internal Auditors 19
VI. ACKNOWLEDGEMENT
We would like to express our appreciation to Protiviti for all the support, both monetarily and in personnel time, that was dedicated to this effort.